Introduction

As an alternative to forms authentication for authenticating users against a database, you can use basic authentication (without adding user records to Active Directory). I first wondered whether it was possible to use IE's (the browser's) built-in login dialog box for my own authentication when I saw it for the first time while learning SAMBA, many years back. I tried to make it work in classic ASP, without IIS configuration. Then, while googling, I found an interesting topic on PHP basic authentication; PHP has built-in server variables for handling basic authentication. Some whitepapers helped me a lot in learning the mechanism of this authentication. The day I solved this with ASP was the first successful day for me to do something on my own. While on vacation last week, it came to my mind after seeing a Passport login dialog of MSN, and I thought to migrate my old piece of code to ASP.NET by handling events in the global.asax file. Finally, I found an HttpModule to be the best way to implement it.

You are most welcome if you have a better idea. Please post your comments.

Background

Authentication is the process of obtaining identification credentials such as name and password from a user and validating those credentials against some authority. If the credentials are valid, the entity that submitted the credentials is considered an authenticated identity. Once an identity has been authenticated, the authorization process determines whether that identity has access to a given resource.

Using the code

This works by sending a 401 status code and the WWW-Authenticate response header so that the browser pops up its login dialog box, and then validating the credentials, which the browser sends Base64 encoded, during the application's AuthenticateRequest event.

The base class for the authentication handler is BaseAuthenticationModule. You should extend the Authenticate method of this class to implement your authentication logic, which returns a GenericPrincipal object. You can still use your favorite User.IsInRole() for role-based authorization.

Additionally, as with any other HTTP module, you have to write a configuration element to register it in web.config and deny unauthenticated users (?) in the authorization element. The rest is up to you: how you handle your authentication logic. You must also not forget that this scheme is not considered to be a secure method of user authentication (unless used in conjunction with some external secure system such as SSL [5]), as the user name and password are passed over the network as clear text.
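The request flow described above, written out as an added sketch. It is not the article's BaseAuthenticationModule or code from its download; the class name, realm value and Authenticate signature are hypothetical. It assumes TLS terminates at IIS and that the browser sends the credentials as UTF-8.

```csharp
using System;
using System.Security.Principal;
using System.Text;
using System.Web;

// Added sketch; hypothetical names, not the article's BaseAuthenticationModule.
public abstract class BasicAuthSketchModule : IHttpModule
{
    private const string Realm = "Example"; // constructed realm name

    public void Init(HttpApplication app)
    {
        app.AuthenticateRequest += new EventHandler(OnAuthenticate);
        app.EndRequest += new EventHandler(OnEndRequest);
    }

    public void Dispose() { }

    // Derived class checks the credentials; return null to stay anonymous.
    protected abstract GenericPrincipal Authenticate(string user, string password);

    private void OnAuthenticate(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        // Base64 is an encoding, not encryption: ignore credentials sent without TLS.
        // Assumes TLS terminates at IIS, so IsSecureConnection is accurate.
        if (!ctx.Request.IsSecureConnection) return;

        string header = ctx.Request.Headers["Authorization"];
        if (header == null || !header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase)) return;

        string decoded;
        try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(header.Substring(6).Trim())); }
        catch (FormatException) { return; } // malformed Base64: treat as anonymous

        int colon = decoded.IndexOf(':'); // split on the first ':'; the password may contain more
        if (colon <= 0) return;           // no separator or empty user name

        GenericPrincipal principal = Authenticate(decoded.Substring(0, colon), decoded.Substring(colon + 1));
        if (principal != null) ctx.User = principal;
    }

    private void OnEndRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        // URL authorization answers denied anonymous requests with 401; add the
        // challenge only over TLS so the browser never prompts on a clear-text page.
        if (app.Response.StatusCode == 401 && app.Request.IsSecureConnection)
            app.Response.AppendHeader("WWW-Authenticate", "Basic realm=\"" + Realm + "\"");
    }
}
```

A concrete subclass that overrides Authenticate is what gets registered in web.config; requests that arrive without valid credentials stay anonymous and are rejected by the authorization element.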

Points of Interest

By default, the entire application is secured when we deny anonymous user access in the root web's authorization element, whereas you may be interested in securing only part of the application and leaving the root accessible to all. You can use the location element in your web.config file to customise the access control list. This is a great feature for declarative security in ASP.NET. You can restrict different parts of the application not only by user but by role as well. Implementing role-based authorization with the forms-based authentication mechanism is quite complex to handle. But you enjoy the freedom of maintaining user accounts with Active Directory, especially while deploying with a public web hosting service.

Debugging becomes a problem while testing this feature with Visual Studio. Instead, you can attach to the aspnet_wp.exe process and invoke the page from your browser, the way I did.

This mechanism only works when IIS's authentication is turned off and anonymous access is enabled. I got scared when I saw it not working while testing before publishing this article. I had accidentally enabled integrated authentication to debug other parts of the code.

In another article, I have written about using it with the Struts Action Servlet for J2EE-based applications.

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

About the Author

[MCSD, MCDBA]
I have been in IT for the past 6+ years, working as a software engineer for IBM Kolkata. .NET is the platform of my choice, and I have been coding with C# since its evolution. Please join the .NETIndia group at http://groups.yahoo.com/group/dotnetindia for more articles & .NET discussions.

Comments and Discussions

I have an XML data source control that is reading an XML file from another site (external URL). I was given the user name & password to access this file, but I need to use basic authentication for that... meaning, every time the page is displayed the XML feed should be available.

Can anybody tip me as to how this should be done?

[Most of the literature available describes the opposite operation]